practice breaking things
The application uses Passkey-based 2FA. The server's verification logic has a critical flaw. Bypass the passkey step without an authenticator.